Not all corporate data breaches are of the spectacular variety that health insurer Anthem recently announced, involving 80 million members. But any company that offers a wellness program needs to take special precautions to ensure employee health information doesn’t fall into the wrong hands. This hazard exists whether the program is managed by an outside wellness program vendor, or the company’s own staff.

The hackers who penetrated Anthem’s electronic defenses undoubtedly were seeking data that could be used for identity theft purposes, with a financial motive. But a data breach involving personal health information (PHI), even an inadvertent one resulting from sloppy procedures or inadequate systems, can have serious consequences.

PHI is defined and protected by the privacy and security rules in HIPAA, the federal health insurance portability law that has been in force since 2003. PHI includes any information about a health condition, medical treatment or payment for care that is “personally identifiable,” i.e., someone looking at the data can determine whom it pertains to.


“Everybody has become hyper-sensitive about this because of all the news about big data breaches,” said Alan Kohll, CEO and founder of Total Wellness, an Omaha, Neb.-based wellness program vendor. Some of that concern stems from bad experiences with vendors that failed to safeguard PHI, he added.

In response, some employers are asking wellness program vendors to assume unlimited liability for any consequences of a PHI leak, according to Kohll.

PHI data breaches can occur in very mundane, low-tech ways, and on a small scale. For example, consider the scenario in which a group of employees who have just undergone biometric screening are waiting in line to learn their results. Suppose the person giving out the results tells the employee at the head of the line his BMI and blood pressure numbers in a manner that’s audible to others waiting in line. That means a breach has occurred – whether the others waiting in line are listening or not.

Similarly, if results are printed out and one employee’s results are visible to others, that’s a breach too. No hacking required.

Anonymous reports

Wellness vendors or employer wellness staff members can prevent such occurrences by, for example, simply handing the biometric testing results to the employee on a piece of paper. An added level of security entails not even printing the employee’s name on the paper, although of course the dispenser of the report must have a secure method of identifying whose results are whose.

At Total Wellness, computers that contain PHI are never connected to the Internet, thereby precluding external attacks. Also, the company limits the data it seeks on employees to the bare essentials, which do not include employee Social Security numbers or birthdates. Such data is, of course, what hackers are looking for, Kohll said.

Following is a checklist of security procedures offered by Total Wellness.

Physical precautions:

  • Secure workstations with physical locks on drawers and cabinets, and password locks on computers, and
  • Establish a procedure to increase or decrease storage without compromising data.

Administrative procedures:

  • Set sanctions for noncompliance with security procedures,
  • Track access to PHI,
  • Train staff on HIPAA privacy rules,
  • Designate a HIPAA privacy/security officer within your organization,
  • Develop emergency contingency plans if a data breach occurs, and
  • Evaluate your processes and procedures regularly.

Technical processes:

  • Enforce the use of activity logs,
  • Mandate appropriate login credentials by requiring specific characters, cases, letters or numbers in the sequence,
  • Develop a system for identity verification, and
  • Encrypt any PHI you plan to transfer so it is unreadable to unauthorized recipients.
